I've this week changed from Mandriva 2011 to Mageia. I did it because Mandriva no longer seemed to be being developed and also because my installation had a few issues.
I also swapped out the 500gig drive that Mandriva was on and installed Mageia to a 1TB drive but I kept the 500 gig jobbie. To save myself time I just moved things like the config for Sylpheed and Claws from the 500gig to the 1TB and those are working fine. In trying to find out why a USB 3 disc wasn't being seen, I noticed that dmesg was filling up with messages from Shorewall. I'm not sure if Shorewall ran on Mandriva but certainly I didn't see those messages.
They all appear to be the same though with the exception of the ID which varies. Here's the last two for example:
[ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
[ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
On my machine 192.168.1.1 is the router.
Should I be concerned about these messages? If so, what should I do as they're just an irritation at the moment.
On 22/06/13 21:00, Chris Walker wrote:
> I've this week changed from Mandriva 2011 to Mageia. I did it because Mandriva no longer seemed to be being developed and also because my installation had a few issues.
> I also swapped out the 500gig drive that Mandriva was on and installed Mageia to a 1TB drive but I kept the 500 gig jobbie. To save myself time I just moved things like the config for Sylpheed and Claws from the 500gig to the 1TB and those are working fine. In trying to find out why a USB 3 disc wasn't being seen, I noticed that dmesg was filling up with messages from Shorewall. I'm not sure if Shorewall ran on Mandriva but certainly I didn't see those messages.
Mandriva was actually the first distro I happened to notice Shorewall on - one of my servers at home is running 2009.1 and it's on there. I don't /think/ Mandriva has stopped being developed, but they seem to have moved to a commercial-only business model so there are no free/open downloads.
> They all appear to be the same though with the exception of the ID which varies. Here's the last two for example:
> [ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> [ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> On my machine 192.168.1.1 is the router.
> Should I be concerned about these messages? If so, what should I do as they're just an irritation at the moment.
The destination port (DPT in the logs above) is 3389, which is Microsoft Terminal Server aka remote desktop/RDP (see https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). An iptables config I got from a well-respected former sysadmin colleague had this, and various other Windows ports like SMB, collectively annotated as "Windows rubbish" and dropped them all.
RDP itself has been subject to several vulnerabilities, for instance - see http://www.tenable.com/blog/remote-access-woes-microsoft-windows-remote-desk... for a link to a couple, but if you're not running Windows machines with this enabled it's not an issue.
Otherwise, this looks at first glance as if it's coming from your router (the SRC of 192.168.1.1). I would be more worried if it was coming from outside as it's exactly the sort of thing your router's firewall should have filtered out already, so it could just be the router looking for "useful services" in order to help setting up. Is it occasional or every few seconds?
Simon
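To make Simon's reading of those two lines repeatable, here is a small Python triage script, added here as an example (it is not code from the thread, from Mageia or from the Shorewall project). It parses the Shorewall LOG prefix and the iptables KEY=value fields, splits the MAC= field into destination MAC, source MAC and EtherType, measures how often the drops recur, and annotates each group of drops: whether the source is the gateway, another LAN host or something outside, and whether the target port is one of the usual Windows services. The two sample lines are copied from Chris's post; the gateway address, the LAN prefix and the port table are assumptions for illustration.

```python
"""Triage Shorewall/iptables LOG lines of the kind quoted in the thread.

Added example, not code from the thread or from the Shorewall project.
The two sample lines are copied from the post; the gateway address, LAN
prefix and the port table below are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample: the two dmesg lines quoted in the original post.
SAMPLE_DMESG = """\
[ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
[ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall's default LOGFORMAT "Shorewall:%s:%s:" gives "Shorewall:<chain>:<disposition>:",
# so "net2fw:DROP" means the packet hit the net->fw chain and was dropped.
PREFIX_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens; OUT= has an empty value
FLAG_WORDS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Assumed table of Windows-centric ports, in the spirit of the "Windows rubbish" list upthread.
WINDOWS_PORTS = {135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm",
                 139: "netbios-ssn", 445: "microsoft-ds (SMB)", 3389: "ms-wbt-server (RDP)"}


def parse_line(line):
    """Return a dict of fields for one Shorewall LOG line, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "chain": m.group("chain"), "disp": m.group("disp")}
    rest = m.group("rest")
    rec.update(dict(KV_RE.findall(rest)))
    # Bare words such as DF and SYN carry the IP/TCP flags.
    rec["flags"] = {tok for tok in rest.split() if tok in FLAG_WORDS}
    for key in ("LEN", "TTL", "ID", "SPT", "DPT"):
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def split_mac(mac_field):
    """The MAC= field is dst MAC (6 octets) + src MAC (6 octets) + EtherType (2 octets)."""
    parts = mac_field.split(":")
    if len(parts) != 14:
        return None
    return {"dst_mac": ":".join(parts[:6]),
            "src_mac": ":".join(parts[6:12]),
            "ethertype": "0x" + "".join(parts[12:])}


def probe_interval(records):
    """Mean gap in seconds between consecutive entries (answers 'occasional or every few seconds?')."""
    ts = sorted(r["ts"] for r in records)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return sum(gaps) / len(gaps) if gaps else None


def triage(records, gateway="192.168.1.1", lan_prefix="192.168.1."):
    """Group drops by (SRC, DST, PROTO, DPT) and annotate each group with what it means."""
    groups = Counter((r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT")) for r in records)
    findings = []
    for (src, dst, proto, dpt), count in groups.items():
        notes = []
        if src == gateway:
            notes.append("source is the default gateway, not an external host")
        elif (src or "").startswith(lan_prefix):
            notes.append("source is another LAN host")
        else:
            notes.append("source is outside the LAN: the router should have filtered this")
        if dpt in WINDOWS_PORTS:
            notes.append(f"port {dpt} is {WINDOWS_PORTS[dpt]}; harmless if this host runs no such service")
        syn_only = all(r["flags"] & {"SYN", "ACK", "RST", "FIN"} == {"SYN"}
                       for r in records if r.get("SRC") == src and r.get("DPT") == dpt)
        if syn_only:
            notes.append("SYN-only packets: bare connection attempts, nothing was accepted")
        findings.append({"src": src, "dst": dst, "proto": proto, "dpt": dpt,
                         "count": count, "notes": notes})
    return findings


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_DMESG.splitlines()) if r]
    for f in triage(recs):
        print(f"{f['count']}x {f['proto']} {f['src']} -> {f['dst']}:{f['dpt']}")
        for n in f["notes"]:
            print("   -", n)
    print(f"mean interval: {probe_interval(recs):.1f}s; "
          f"frames from {split_mac(recs[0]['MAC'])['src_mac']}")
```

Run as a script it prints one summary per (source, destination, port) group; fed the real `dmesg` output instead of the embedded sample, the same functions will separate LAN chatter from anything arriving on the outside interface, which is the distinction Simon draws above.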
On 22/06/2013 21:00, Chris Walker wrote:
> I've this week changed from Mandriva 2011 to Mageia. I did it because Mandriva no longer seemed to be being developed and also because my installation had a few issues.
> I also swapped out the 500gig drive that Mandriva was on and installed Mageia to a 1TB drive but I kept the 500 gig jobbie. To save myself time I just moved things like the config for Sylpheed and Claws from the 500gig to the 1TB and those are working fine. In trying to find out why a USB 3 disc wasn't being seen, I noticed that dmesg was filling up with messages from Shorewall. I'm not sure if Shorewall ran on Mandriva but certainly I didn't see those messages.
> They all appear to be the same though with the exception of the ID which varies. Here's the last two for example:
> [ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> [ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> On my machine 192.168.1.1 is the router.
> Should I be concerned about these messages? If so, what should I do as they're just an irritation at the moment.
I can't imagine a router would be trying RDP on another machine. What shorewall logs say is very dependent on the way it has been set up. Whilst it's non-trivial, it's not hard as long as you take it a step at a time, and there are lots of guides. Which config files are amended and the way they are set up is system dependent, so I can't just ask for a listing or two.
I recommend that you go to the following and have a look:
http://www.shorewall.net/shorewall_quickstart_guide.htm
There will probably be a guide for your circumstances. Any specific questions I can probably help.
Cheers, Laurie.
On Mon, 24 Jun 2013 09:59:54 +0100 Laurie Brown laurie@brownowl.com wrote:
> On 22/06/2013 21:00, Chris Walker wrote:
> > I've this week changed from Mandriva 2011 to Mageia. I did it because Mandriva no longer seemed to be being developed and also because my installation had a few issues.
> > I also swapped out the 500gig drive that Mandriva was on and installed Mageia to a 1TB drive but I kept the 500 gig jobbie. To save myself time I just moved things like the config for Sylpheed and Claws from the 500gig to the 1TB and those are working fine. In trying to find out why a USB 3 disc wasn't being seen, I noticed that dmesg was filling up with messages from Shorewall. I'm not sure if Shorewall ran on Mandriva but certainly I didn't see those messages.
> > They all appear to be the same though with the exception of the ID which varies. Here's the last two for example:
> > [ 6125.561129] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2897 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> > [ 6128.560425] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=40:61:86:05:f9:31:00:24:a5:bd:b4:dc:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2898 DF PROTO=TCP SPT=3896 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
> > On my machine 192.168.1.1 is the router.
> > Should I be concerned about these messages? If so, what should I do as they're just an irritation at the moment.
> I can't imagine a router would be trying RDP on another machine. What shorewall logs say is very dependent on the way it has been set up. Whilst it's non-trivial, it's not hard as long as you take it a step at a time, and there are lots of guides. Which config files are amended and the way they are set up is system dependent, so I can't just ask for a listing or two.
> I recommend that you go to the following and have a look:
> http://www.shorewall.net/shorewall_quickstart_guide.htm
> There will probably be a guide for your circumstances. Any specific questions I can probably help.
Thanks for your help and thanks to Simon too.
It all started to look horribly complicated for something that I'd never experienced before.
I looked at the sites mentioned and then thought that as the software is new (Mageia that is, not Shorewall) then perhaps there's something amiss there. Sure enough there is - https://forums.mageia.org/en/viewtopic.php?f=8&t=4987
I removed Shorewall, reconfigured it as was suggested and was then asked if I wanted to install it. I've just rebooted for good measure and all the messages have stopped.
I think that's described as an infelicity ;-)
On 24/06/2013 10:35, Chris Walker wrote:
> [SNIP]
> Thanks for your help and thanks to Simon too.
> It all started to look horribly complicated for something that I'd never experienced before.
> I looked at the sites mentioned and then thought that as the software is new (Mageia that is, not Shorewall) then perhaps there's something amiss there. Sure enough there is - https://forums.mageia.org/en/viewtopic.php?f=8&t=4987
> I removed Shorewall, reconfigured it as was suggested and was then asked if I wanted to install it. I've just rebooted for good measure and all the messages have stopped.
> I think that's described as an infelicity ;-)
Happy to help.
Am pretty good with Shorewall, which is a great piece of software, even if it is "just" a wrapper for iptables. I used to manage our firewalls manually, and once set up that wasn't too bad. But maintenance and big changes were a pain: Shorewall sorts that.
Cheers, Laurie.